Security

Dovecot was designed since the beginning with security in mind and with
many ways to provide privilege separation. Although the code is written with C,
it's a little bit special C variant that makes it much more difficult to write
security holes accidentally than with most other C-based projects.

Below is the list of all security holes found from Dovecot. Note that most
of these are quite minor holes.

Nov 2008: ACL plugin has mainly been used for some simple ACLs and
sysadmin should have always tested that they work correctly. But as the
ACL plugin has recently been developed more, bugs have been found and
distro people have treated them as security holes. I think it's highly
unlikely anyone really cared about those. The brokeness of the
functionality would have been immediately obvious.